(57) ABSTRACT

A method for providing single step log-on access for a subscriber to a computer network. The computer network is differentiated into public and private areas. Secure access to the private areas is provided by a Service Selection Gateway (SSG) Server, introduced between a conventional Network Access Server (NAS) and an Authentication Authorization and Accounting (AAA) Server. The SSG Server intercepts and manipulates packets of data exchanged between the NAS and the AAA Server to obtain all the information it needs to automatically log the user on when the user logs on to the NAS. An authorized user is thus spared the task of having to re-enter username and password data or launch a separate application in order to gain secure access to private areas of the network.

28 Claims, 2 Drawing Sheets 
METHOD FOR PROVIDING SINGLE STEP 
LOG-ON ACCESS TO A DIFFERENTIATED 
COMPUTER NETWORK 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to a method for providing 
simplified access to subscribers of a differentiated computer 
network. Specifically, the present invention relates to a 
method for allowing single step log-on access to a network 
having more than one separate access area, such as a 
network divided into both public and private areas, where 
access to public areas is provided by a conventional Net- 
work Access Server, or NAS, and access to private areas is 
provided by a separate Service Selection Gateway, or SSG. 

2. Background 

Every day, millions of people around the world perform 
the modern ritual of the network "log-on." From the user 
standpoint, the process is simple: if all goes well, after a 
click of the mouse, and perhaps a few quick keystrokes, the 
short melodic overture of computers exchanging bits begins, 
and the intrepid user soon finds himself speeding down the 
Information Superhighway. Mercifully, the user is usually 
spared from having to know anything about the technical 
details of the log-on procedure, which involves multiple 
servers working in concert to handle the thousands of 
subscribers who seek access to the network at any given 
time. The continued success of computer networking tech- 
nology depends on keeping access easy. As networks have 
evolved, however, they have begun to differentiate into areas 
that provide specialized services to selected users. Because 
of this trend, security and user-authorization protocols are 
becoming more complicated, often in ways that conflict with 
the need for easy accessibility. 

In order to gain access to a computer network, such as the 
World-Wide Web, or the Internet, or a private Intranet 
network, a user must first dial-in or otherwise connect to a 
Network Access Server, or NAS. The NAS serves as a gate 
between the computer network and the user. As a threshold 
matter, the NAS must authenticate the identity of the sub- 
scriber in order to ascertain the nature and scope of the 
services that it will provide. Of course, if the network is 
differentiated into public areas that are accessible to all 
subscribers generally, and private areas that are accessible 
only to authorized subscribers, then the user's identity is 
particularly important. 

The authentication procedure generally involves another 
server, herein referred to as an Authentication, 
Authorization, and Accounting Server, or an AAA Server. 
The NAS is a client of the AAA Server, which may serve 
several client NAS's simultaneously. The NAS and the AAA 
Server communicate with one another according to a stan- 
dard Internet protocol, such as the Remote Authentication 
Dial-In User Service (RADIUS) protocol, developed by 
Livingston Enterprises of Pleasanton, Calif. The description 
of the authentication procedure that follows is based on the 
RADIUS protocol. 

Typically, the user begins his or her session on the 
network by first launching a dial-in application on his or her 
personal computer or PC that prompts the user to enter some 
form of user identification, like a user-name, and a private 
password. Such information may also be stored on and 
automatically provided by the PC. The dial-in application 
contacts an NAS, for instance, via modem and telephone 
line, and provides the NAS with the user-entered informa- 
tion. The password data are usually encrypted using methods 
well-known to those of ordinary skill in the art. The NAS then prepares and sends an "access-request" packet to the AAA Server. The access-request packet contains the data entered by the user, as well as additional data identifying the particular NAS client from which the packet was sent.

The AAA Server contains a large database of stored information on the accounts of each subscriber, including user-names, encrypted passwords and configuration information detailing the type of service that is to be provided to each user. When the AAA Server receives an access-request packet from an authorized NAS client, it consults its database of users to find the account entry for the user identified by the information contained in the access-request packet. The account entry will often specify certain requirements that must be met in order for the user to gain access to the network, including information on the clients and ports on the network which the user is allowed to access. An important requirement, of course, is that the password entered by the user match the password specified in the account entry on the AAA database. If the passwords match, and all the other requirements are met, then the AAA Server sends the NAS an "access-accept" packet in response. The access-accept packet contains configuration data that enable the NAS to provide the desired service to the user.

If any requirement is not met, then the AAA Server responds with an "access-reject" packet indicating that the user request is invalid. The access-reject packet may also contain text messages which may be delivered to the user by the NAS. Even if all the requirements are met, the AAA Server may still deny immediate access to the user and instead issue an "access-challenge" packet that prompts the user for new information before access is finally granted.

In order for the network to communicate with the user, the user must be assigned an IP address. User IP addresses are usually assigned dynamically, meaning that a user's IP address can change from session to session. The IP address can be assigned either by the AAA Server, or by the NAS. Once an IP address has been assigned to the user, the user is logged-on to the NAS and can begin his or her session on the network. After logging the user on, the NAS sends an "accounting-start" packet to the AAA Server, containing information regarding, for instance, the time at which the user's session begins, or other administrative and accounting data, that can be stored on the AAA Server's database.

A complication in this scheme arises when the network contains private areas whose access is regulated by a third server, herein referred to as a Service Selection Gateway, or SSG Server. The SSG Server is inserted between the NAS and the AAA Server, and its function is to create secure channels to private areas of the network for authorized users only. In order to access these private areas, an authorized user must somehow log-on to the SSG server as well.

Of course, it is possible to simply inflict upon the user the job of performing a second log-on to the SSG Server after the first log-on to the NAS. This approach is rather cumbersome and inelegant, however, and it requires the use of a separate and largely redundant software application on the user's PC, called a "dashboard." In order for an authorized user to access private areas of the network through the SSG Server, he or she must first log on to the network using the primary dial-in application, then launch the dashboard, and then log on a second time with the SSG Server.

This solution leaves much to be desired. The torment that comes from staring at pixellated cartoons of tiny telephones on a computer monitor, occasionally for minutes at a time, as a PC attempts to log-on to a heavily-trafficked network, 
is already an all-too familiar source of frustration to many subscribers of computer network services. Such delays can be caused, for instance, by the large number of access requests that must be handled by the AAA Server. The second log-on to the SSG Server requires a second authorization to access data from a private network and therefore simply adds unnecessarily to the traffic seen by the AAA Server. It also requires the user to re-enter his or her username and password.

Unfortunately, it is not enough to simply pass username and password information from the NAS to the SSG Server. Without the user IP address, the SSG Server has no way to send information from the private areas of the network to the user. While it might be possible to reconfigure the NAS to provide the IP address to the SSG Server directly, or demand that IP addresses are assigned by the AAA Server instead of the NAS, a more practical solution would view both the NAS and AAA Server as fixed and inviolate, and would seek instead to adapt the behavior of the SSG Server.

Accordingly, it is an object and advantage of the present invention to provide single step log-on access to a differentiated computer network having more than one separate access area, such as a network divided into both public and private areas, where access to public areas is provided by a conventional Network Access Server, or NAS, and access to private areas is provided by a separate Service Selection Gateway, or SSG.

Another object and advantage of the present invention is to provide single step log-on access to a differentiated computer network having more than one separate access area, such as a network divided into both public and private areas, where access to public areas is provided by a conventional NAS, and access to private areas is provided by an SSG, without altering the behavior of the NAS.

Another object and advantage of the present invention is to provide single step log-on access to a differentiated computer network having more than one separate access area, such as a network divided into both public and private areas, where access to public areas is provided by a conventional NAS, and access to private areas is provided by an SSG, without altering the behavior of the AAA Server.

Yet another object and advantage of the present invention is to provide single step log-on access to a differentiated computer network having more than one separate access area, such as a network divided into both public and private areas, without the need for a separate dashboard application.

BRIEF DESCRIPTION OF THE INVENTION

The present invention is a method for providing single step log-on access for a subscriber to a differentiated computer network having more than one separate access area. The method involves intercepting packets of data between the NAS and the AAA Server with an SSG Server, and manipulating these packets to obtain information needed by the SSG Server to log the user on automatically, without requiring the user to re-enter username and password data, or launch a separate application. Once the user is logged-on to the SSG Server, the SSG is able to provide the user with secure access to additional areas of the network. From the user's point of view, the log-on procedure with the SSG Server is identical to the log-on procedure without it.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 is a schematic drawing of a network of three servers and a differentiated computer network.

FIGS. 2A, 2B, and 2C are drawings illustrating the order in which packets are exchanged in a network of three servers during log-on.

DETAILED DESCRIPTION OF THE INVENTION

Those of ordinary skill in the art will realize that the following description of the present invention is illustrative only and is not intended to be in any way limiting. Other embodiments of the invention will readily suggest themselves to such skilled persons from an examination of the within disclosure.

In a presently-preferred embodiment of the invention, illustrated in FIG. 1, a subscriber PC 1 to a computer network 5 is connected to a Network Access Server, or NAS 2. The NAS 2 is linked to an Authentication, Authorization, and Accounting Server, or AAA Server 4 through a Service Selection Gateway, or SSG Server 3. The NAS 2, SSG 3, and AAA 4 Servers communicate with one another according to the Remote Access Dial-In User Service protocol, or RADIUS. The details of the RADIUS protocol are well-known to those of ordinary skill in the art. Moreover, as will be apparent to those of ordinary skill in the art, only a few general features of the RADIUS protocol are utilized by the present invention. The methods of the present invention described herein are therefore applicable to any other authentication protocol equivalent in relevant part to the RADIUS protocol.

In essence, the need for a second log-on to the SSG Server 3 is obviated by allowing the SSG Server 3 to intercept and forward all packets of data exchanged between the NAS 2 and the AAA Server 4. To the NAS 2, the SSG Server 3 simply acts as a proxy AAA Server 4. The presence of the SSG Server 3 is unfelt by the NAS 2, which continues to behave exactly as if it were connected directly to the AAA Server 4. By "eavesdropping" on the communications between the NAS 2 and the AAA Server 4, the SSG Server 3 is able to obtain all the information it needs to log the user on automatically, without requiring the user to re-enter data, or to launch a separate application. The methods of the present invention do not require any alteration in the behavior of the NAS 2, or the AAA Server 4.

As described above, the user initiates a session on the network 5 by launching a dial-up application on his or her subscriber PC 1. The dial-up application prompts the user for user-name and password information, and contacts the NAS 2. The NAS 2 prepares an access-request packet containing the user-specified information, as well as information about the NAS client 2 itself. Instead of being delivered directly to the AAA Server 4, however, the access-request packet is intercepted by the SSG Server 3, at step 200. Since the access-request packet contains username and password information, receipt of the access-request packet by the SSG Server 3 supplants the need for requiring the user to supply this information to the SSG Server 3 using a separate dashboard application. However, as described above, the SSG Server 3 still needs the user IP address to complete the log-on procedure. The user IP address, however, has not yet been assigned, and extra steps must be taken before the SSG Server 3 can officially log the user on. The SSG Server 3 forwards the access-request packet to the AAA Server 4 at step 202. The AAA Server 4 first authenticates the user by checking the data attributes in the access-request packet against its account database. The AAA Server 4 then responds to the access-request by issuing an access-reply packet back to the SSG Server 3 at step 204. If 
the user authentication check is successful, then the AAA Server 4 may assign an IP address to the user and include this IP address in the access-reply packet. The SSG Server 3 then checks for an IP address in the access-reply packet. If the SSG Server 3 finds an IP address, then the SSG Server 3 can log the user on with the IP address provided by the AAA Server 4, and then forward the access-reply packet on to the NAS 2 immediately at step 206. Once the access-reply packet is received by the NAS 2, it may then log the user on as well, and the user session can begin.

If the AAA Server 4 authorizes the user but does not assign an IP address, then the SSG Server 3 can log the user on with a dummy temporary IP address. It then assigns the user an identification number that it inserts into the access-reply packet before forwarding the access-reply packet to the NAS 2 at step 206. The identification number is written as a special attribute in the access-reply packet, called a "class attribute" in the RADIUS protocol. The class attribute is read and stored by the NAS 2 and echoed back unchanged in subsequent packets. The temporary IP address can be used as an identification number.

Upon receipt of the access-reply packet authorizing the user to access the network, the NAS 2 assigns a genuine IP address to the user and logs the user on. At step 208, the NAS 2 then prepares and sends an "accounting-start" packet to the AAA Server 4, containing information such as the time at which the user began his or her session, as well as the genuine IP address assigned to the user by the NAS 2. The accounting-start packet serves an administrative function and would be prepared and sent by the NAS 2 even without the presence of an SSG Server 3. The accounting-start packet is intercepted by the SSG Server 3 on its way to the AAA Server 4, and will contain not only an IP address, but also the class attribute identifying the user to whom the IP address belongs. With these two pieces of information, the SSG Server 3 can replace the dummy IP address with the genuine IP address for the user, and log the user on officially. Finally, the SSG Server 3 forwards the accounting-start packet to the AAA Server 4 at step 210.
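The procedure of steps 200 through 210 just described, together with the access-request, access-reply and accounting-start exchange laid out in the Background, is modelled below as an added example; it is not code from the patent or from any SSG product. Packets are plain dicts rather than wire-encoded RADIUS, so the control flow stays visible. The attribute names User-Name, Framed-IP-Address, Class and Acct-Status-Type are the standard RFC 2865/2866 names for what the patent calls the username, the IP address, the class attribute and the accounting-start packet; the 10.255.0.x dummy range, the request identifiers and the subscriber names are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RADIUS packet codes (RFC 2865 / RFC 2866).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCOUNTING_REQUEST = 4
ACCESS_CHALLENGE = 11


@dataclass
class Session:
    username: str
    ip: str
    official: bool  # False while `ip` is still the SSG's dummy placeholder


@dataclass
class SSGServer:
    """Model of the SSG proxy between NAS and AAA; transparent to both."""
    pending: Dict[int, str] = field(default_factory=dict)       # request id -> User-Name (step 200)
    sessions: Dict[str, Session] = field(default_factory=dict)  # username -> Session
    by_class: Dict[str, str] = field(default_factory=dict)      # Class value -> username
    unmatched: List[dict] = field(default_factory=list)         # accounting packets with no matching session
    _next_dummy: int = 1

    def _dummy_ip(self) -> str:
        # Constructed placeholder range; the patent only says "dummy temporary IP address".
        ip = f"10.255.0.{self._next_dummy}"
        self._next_dummy += 1
        return ip

    def nas_to_aaa(self, pkt: dict) -> dict:
        """Handle a packet travelling NAS -> AAA and return the packet to forward."""
        attrs = pkt["attrs"]
        if pkt["code"] == ACCESS_REQUEST:
            # Step 200: note who is logging on, keyed by the RADIUS identifier,
            # which the AAA Server's reply carries back unchanged.
            self.pending[pkt["id"]] = attrs.get("User-Name")
        elif pkt["code"] == ACCOUNTING_REQUEST and attrs.get("Acct-Status-Type") == "Start":
            # Step 208: the NAS echoes the Class we inserted and reports the genuine address.
            username = self.by_class.get(attrs.get("Class"))
            session = self.sessions.get(username) if username else None
            genuine = attrs.get("Framed-IP-Address")
            if session is not None and not session.official and genuine:
                session.ip = genuine      # replace the dummy address with the genuine one
                session.official = True   # the user is now officially logged on to the SSG
            else:
                self.unmatched.append(pkt)  # nothing to correlate; still forwarded below
        return pkt  # steps 202 and 210: forwarded to the AAA Server unchanged

    def aaa_to_nas(self, pkt: dict) -> dict:
        """Handle a reply travelling AAA -> NAS (step 204 in, step 206 out)."""
        username = self.pending.pop(pkt["id"], None)
        if pkt["code"] != ACCESS_ACCEPT or not username:
            return pkt  # reject, challenge, or unknown identifier: no SSG log-on
        out = {"code": pkt["code"], "id": pkt["id"], "attrs": dict(pkt["attrs"])}
        ip = out["attrs"].get("Framed-IP-Address")
        if ip:
            # The AAA Server assigned the address: log on with it right away.
            self.sessions[username] = Session(username, ip, official=True)
        else:
            # No address yet: log on with a dummy and use it as the identification
            # number, written as the Class attribute the NAS will echo back.
            dummy = self._dummy_ip()
            self.sessions[username] = Session(username, dummy, official=False)
            self.by_class[dummy] = username
            out["attrs"]["Class"] = dummy
        return out

    def lookup(self, username: str) -> Optional[Session]:
        return self.sessions.get(username)


def demo() -> Dict[str, Session]:
    """Run the NAS-assigned-address flow with constructed packets."""
    ssg = SSGServer()
    ssg.nas_to_aaa({"code": ACCESS_REQUEST, "id": 7, "attrs": {"User-Name": "alice"}})
    reply = ssg.aaa_to_nas({"code": ACCESS_ACCEPT, "id": 7, "attrs": {}})
    # The NAS picks the genuine address and reports it together with the echoed Class.
    ssg.nas_to_aaa({"code": ACCOUNTING_REQUEST, "id": 8, "attrs": {
        "Acct-Status-Type": "Start",
        "Class": reply["attrs"]["Class"],
        "Framed-IP-Address": "192.0.2.10"}})
    return ssg.sessions


if __name__ == "__main__":
    for name, s in demo().items():
        print(f"{name}: ip={s.ip} official={s.official}")
```

Two design points follow the text: an access-reject or access-challenge creates no SSG session at all, and an accounting-start whose Class the SSG cannot match is still forwarded (and recorded in `unmatched` for review) because the NAS would send it with or without the SSG present. A real proxy would key pending requests on the NAS address together with the identifier, and expire them, since the 8-bit RADIUS identifier is unique only per client and wraps quickly.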

In short, the user can now log on to both the NAS 2 and the SSG Server 3, without having to launch a second application, or perform a separate log-on to the SSG Server 3. From the vantage point of the user, the log-on procedure does not change in any way with the addition of the SSG Server 3. Because of the presence of the SSG Server 3, however, an authorized user is now able to gain secure access to, for example, private areas of the network, with the same ease that he or she is able to access the public areas.
Alternative Embodiments 

Although illustrative presently preferred embodiments and applications of this invention are shown and described herein, many variations and modifications are possible which remain within the concept, scope, and spirit of the invention, and these variations would become clear to those of skill in the art after perusal of this application. For example, the invention can be used with any type of connection between a user and an NAS and need not be limited to dial-up telephone connections. The invention, therefore, is not intended to be limited except in the spirit of the appended claims.

What is claimed is: 

1. A method for providing single step log-on access to a 
subscriber of a computer network having a first area and a 
second area, said method comprising: 

linking a Service Selection Gateway (SSG) Server to a 
Network Access Server (NAS), said NAS providing the 
subscriber with access to the first area, and said SSG 
Server providing the subscriber with access to the 
second area, wherein the subscriber supplies data pack- 
ets to log-on to said NAS for said access to the first 
area; 

linking said SSG Server to an Authentication Authoriza- 
tion and Accounting (AAA) Server; 

intercepting and forwarding said data packets sent 
between said NAS and said AAA Server by said SSG 
Server; 

processing information in said data packets for enabling 
said SSG Server to automatically log the subscriber on 
to said SSG Server when the subscriber logs on to said 
NAS. 

2. A method for providing single step log-on access for a 
subscriber of a computer network having a first area and a 
second separate area, said method comprising: 

establishing a connection between the subscriber and a 
Network Access Server (NAS); 

routing access-request packets from said NAS to a Ser- 
vice Selection Gateway (SSG) Server; 

utilizing information in said access-request packets to 
initiate log-on for the subscriber to the second area; 

routing said access-request packets from said SSG Server 
to an Authentication Authorization and Accounting 
(AAA) Server to initiate log-on for the subscriber to the 
first area; and 

routing access-reply packets responsive to said access- 
request packets from said AAA Server back to said 
NAS via said SSG Server to complete log-on for the 
subscriber to the first and second areas. 

3. A method for providing single step log-on access to a 
subscriber of a computer network, said computer network 
differentiated into a plurality of areas, said method includ- 
ing: 

sending an access-request packet from a Network Access 
Server (NAS) to a Service Selection Gateway (SSG) 
Server when said subscriber connects to said NAS, 
according to a communications protocol; 
forwarding said access-request packet to an Authentica- 
tion Authorization and Accounting (AAA) Server; 
in reply to said access-request packet, sending an access- 
reply packet from said AAA Server back to said SSG 
Server according to said communications protocol; 
checking if said access-reply packet contains an Internet 
Protocol (IP) address for said subscriber, said IP 
address assigned by said AAA Server; 
if said access-reply packet contains said IP address, then: 
logging said subscriber on to said SSG Server with said 
IP address, if said access-reply packet contains 
authorization from said AAA Server; 
forwarding said access-reply packet to said NAS 

according to said communications protocol; and 
logging said subscriber on to said NAS with said IP 
address, if said forwarded access-reply packet con- 
tains authorization from said AAA Server; or 
if said access-reply packet does not contain said IP 
address, then: 

logging said subscriber on to said SSG server with a 
temporary dummy IP address, if said access-reply 
packet contains authorization from said AAA 
Server; 

assigning a user identification number to said sub- 
scriber; 

forwarding said access-reply packet and said user 
identification number to said NAS, according to 
said communications protocol; 
logging said subscriber on to said NAS with a 
genuine IP address, if said forwarded access-reply 
packet contains authorization from said AAA 
Server; 

sending an accounting-start packet from said NAS to 
said SSG Server, said accounting-start packet con- 
taining said genuine IP address and said user 
identification number, according to said commu- 
nications protocol; 

reading said accounting-start packet to determine 
said genuine IP address of said subscriber; 

replacing said temporary dummy IP address with 
said genuine IP address on said SSG Server; and 

forwarding said accounting-start packet to said AAA 
Server. 

4. The method of claim 3, wherein said communications 
protocol is the Remote Authentication Dial-In User Service 
(RADIUS) protocol. 

5. The method of claim 4, wherein said forwarding step 
further comprises the sub-step of: 

writing said user identification number into said access- 
reply packet as a RADIUS Attribute. 

6. The method of claim 5, wherein said RADIUS Attribute 
is a RADIUS Class Attribute. 

7. The method of claim 3, wherein said user identification 
number is said temporary dummy IP address. 

8. An apparatus for providing a single step log-on access 
for a subscriber of a computer network having a first area 
and a second area, said computer network having a Network 
Access Server (NAS) and an Authentication Authorization 
and Accounting (AAA) Server, said NAS providing access 
for the subscriber to said first area, said apparatus compris- 
ing: 

a Service Selection Gateway (SSG) Server for providing 
access for the subscriber to the second area, said SSG 
Server connected between the NAS and the AAA 
Server, said SSG Server receiving an access-request 
packet from the NAS when the subscriber connects to 
the NAS, forwarding said access-request packet to the 
AAA Server, receiving an access-reply packet from the 
AAA Server when the AAA Server receives said 
access- request packet, and forwarding said access- 
reply packet to the NAS; and 

a processor for processing information in said access- 
reply packet for enabling said SSG Server to automati- 
cally log the subscriber onto said SSG Server when the 
subscriber logs onto the NAS. 

9. The apparatus according to claim 8 wherein said SSG 
Server and said processor may be replaced by a single 
device. 

10. The apparatus of claim 8, wherein the subscriber 
connects to said NAS according to a communications pro- 
tocol. 

11. An apparatus of claim 10 wherein said communica- 
tions protocol is the Remote Authentication Dial-In User 
Service (RADIUS) protocol. 

12. A system for providing a single step log-on access for 
a subscriber of a computer network having a first area and 
a second area, said apparatus comprising: 

a Network Access Server (NAS) for providing access for 
the subscriber to the first area, said NAS sending an 
access-request packet when the subscriber connects to 
said NAS according to a communications protocol; 

an Authentication Authorization and Accounting (AAA) 
Server for receiving said access-request packet and 
sending an access-reply packet in response; 
a Service Selection Gateway (SSG) Server for providing 
access for the subscriber to the second area, said SSG 
Server connected between said NAS and said AAA 
Server, said SSG Server receiving said access-request 
packet from said NAS, forwarding said access-request 
packet to said AAA Server, receiving said access-reply 
packet from said AAA Server, and forwarding said 
access-reply packet to said NAS; and 

a processor for processing information in said access- 
reply packet for enabling said SSG Server to automati- 
cally log the subscriber onto said SSG Server when the 
subscriber logs onto said NAS. 

13. The system according to claim 12 wherein said SSG 
Server and said processor may be replaced by a single 
device. 

14. The system of claim 12 wherein said communications 
protocol is the Remote Authentication Dial-In User Service 
(RADIUS) protocol. 

15. A programmable storage device readable by a 
machine tangibly embodying a program of instructions 
executable by the machine to perform method steps for 
providing single step log-on access to a subscriber of a 
computer network having a first area and a second area, said 
method steps comprising: 

linking a Service Selection Gateway (SSG) Server to a 
Network Access Server (NAS), said NAS providing the 
subscriber with access to the first area, and said SSG 
Server providing the subscriber with access to the 
second area, wherein the subscriber supplies data pack- 
ets to log-on to said NAS for said access to the first 
area; 

linking said SSG Server to an Authentication Authoriza- 
tion and Accounting (AAA) Server; 

intercepting and forwarding said data packets sent 
between said NAS and said AAA Server by said SSG 
Server; 

processing information in said data packets for enabling 
said SSG Server to automatically log the subscriber on 
to said SSG Server when the subscriber logs on to said 
NAS. 

16. A programmable storage device readable by a 
machine tangibly embodying a program of instructions 
executable by the machine to perform method steps for 
providing single step log-on access for a subscriber of a 
computer network having a first area and a second separate 
area, said method steps comprising: 

establishing a connection between the subscriber and a 
Network Access Server (NAS); 

routing access-request packets from said NAS to a Ser- 
vice Selection Gateway (SSG) Server; 

utilizing information in said access-request packets to 
initiate log-on for said subscriber to the second area; 

routing said access-request packets from said SSG Server 
to an Authentication Authorization and Accounting 
(AAA) Server to initiate log-on for the subscriber to the 
first area; and 

routing access-reply packets responsive to said access- 
request packets from said AAA Server back to said 
NAS via said SSG Server to complete log-on for the 
subscriber to the first and second areas. 

17. A programmable storage device readable by a 
machine tangibly embodying a program of instructions 
executable by the machine to perform method steps for 
providing single step log-on access to a subscriber of a 
computer network, said computer network differentiated 
into a plurality of areas, said method steps comprising: 
sending an access-request packet from a Network Access 
Server (NAS) to a Service Selection Gateway (SSG) 
Server when said subscriber connects to said NAS, 
according to a communications protocol; 
forwarding said access-request packet to an Authentica- 

tion Authorization and Accounting (AAA) Server; 
in reply to said access-request packet, sending an access- 
reply packet from said AAA Server back to said SSG 
Server according to said communications protocol; 
checking if said access-reply packet contains an Internet 
Protocol (IP) address for said subscriber, said IP 
address assigned by said AAA Server; 
if said access-reply packet contains said IP address, then: 
logging said subscriber on to said SSG Server with said 
IP address, if said access-reply packet contains 
authorization from said AAA Server; 
forwarding said access-reply packet to said NAS 

according to said communications protocol; and 
logging said subscriber on to said NAS with said IP 
address, if said forwarded access-reply packet con- 
tains authorization from said AAA Server; or 
if said access-reply packet does not contain said IP 
address, then: 

logging said subscriber on to said SSG server with a 
temporary dummy IP address, if said access-reply 
packet contains authorization from said AAA 
Server; 

assigning a user identification number to said sub- 
scriber; 

forwarding said access-reply packet and said user 
identification number to said NAS, according to 
said communications protocol; 

logging said subscriber on to said NAS with a 
genuine IP address, if said forwarded access-reply 
packet contains authorization from said AAA 
Server; 

sending an accounting-start packet from said NAS to 
said SSG Server, said accounting -start packet con- 
taining said genuine IP address and said user 
identification number, according to said commu- 
nications protocol; 

reading said accounting-start packet to determine 
said genuine IP address of said subscriber; 

replacing said temporary dummy IP address with 
said genuine IP address on said SSG Server; and 

forwarding said accounting-start packet to said AAA 
Server. 

18. The programmable storage device of claim 17, 
wherein said communications protocol is the Remote 
Authentication Dial-In User Service (RADIUS) protocol. 

19. The programmable storage device of claim 18, 
wherein said forwarding step further comprises: 

writing said user identification number into said access- 
reply packet as a RADIUS Attribute. 

20. The programmable storage device of claim 19, 
wherein said RADIUS Attribute is a RADIUS Class 
Attribute. 

21. The programmable storage device of claim 17, 
wherein said user identification number is said temporary 
dummy IP address. 

22. An apparatus for providing single step log-on access 
to a subscriber of a computer network having a first area and 
a second area, said apparatus comprising: 

means for linking a Service Selection Gateway (SSG)
Server to a Network Access Server (NAS), said NAS
providing the subscriber with access to the first area,
and said SSG Server providing the subscriber with
access to the second area, wherein the subscriber
supplies data packets to log-on to said NAS for said access
to the first area;

means for linking said SSG Server to an Authentication 
Authorization and Accounting (AAA) Server; 

means for intercepting and forwarding said data packets 
sent between said NAS and said AAA Server by said 
SSG Server; 

means for processing information in said data packets for 
enabling said SSG Server to automatically log the 
subscriber on to said SSG Server when the subscriber 
logs on to said NAS. 

23. An apparatus for providing single step log-on access 
for a subscriber of a computer network having a first area 
and a second separate area, said apparatus comprising: 

means for establishing a connection between the
subscriber and a Network Access Server (NAS);

means for routing access-request packets from said NAS 
to a Service Selection Gateway (SSG) Server; 

means for utilizing information in said access-request 
packets to initiate log-on for said subscriber to the 
second area; 

means for routing said access-request packets from said 
SSG Server to an Authentication Authorization and 
Accounting (AAA) Server to initiate log-on for the 
subscriber to the first area; and 

means for routing access-reply packets responsive to said 
access-request packets from said AAA Server back to 
said NAS via said SSG Server to complete log-on for 
the subscriber to the first and second areas. 

24. A method for providing single step log-on access to a
subscriber of a computer network, said computer network
differentiated into a plurality of areas, said method
comprising:

means for sending an access-request packet from a Network
Access Server (NAS) to a Service Selection
Gateway (SSG) Server when said subscriber connects
to said NAS, according to a communications protocol;

means for forwarding said access-request packet to an 
Authentication Authorization and Accounting (AAA) 
Server; 

means for sending an access-reply packet from said AAA 
Server back to said SSG Server according to said 
communications protocol in reply to said access- 
request packet; 

means for checking if said access-reply packet contains an 
Internet Protocol (IP) address for said subscriber, said 
IP address assigned by said AAA Server; 

means for logging said subscriber on to said SSG Server
with said IP address, if said access-reply packet
contains authorization from said AAA Server if said
access-reply packet contains said IP address;

means for forwarding said access-reply packet to said 
NAS according to said communications protocol; and 

means for logging said subscriber on to said NAS with
said IP address, if said forwarded access-reply packet
contains authorization from said AAA Server; or means
for logging said subscriber on to said SSG server with
a temporary dummy IP address, if said access-reply
packet contains authorization from said AAA Server if
said access-reply packet does not contain said IP
address;

means for assigning a user identification number to said 
subscriber; 
means for forwarding said access-reply packet and said
user identification number to said NAS, according to
said communications protocol;

means for logging said subscriber on to said NAS with a
genuine IP address, if said forwarded access-reply
packet contains authorization from said AAA Server;

means for sending an accounting-start packet from said
NAS to said SSG Server, said accounting-start packet
containing said genuine IP address and said user
identification number, according to said communications
protocol;

means for reading said accounting-start packet to
determine said genuine IP address of said subscriber;

means for replacing said temporary dummy IP address
with said genuine IP address on said SSG Server; and

means for forwarding said accounting-start packet to said
AAA Server.

25. The apparatus of claim 24, wherein said
communications protocol is the Remote Authentication Dial-In User
Service (RADIUS) protocol.

26. The apparatus of claim 25 further comprising:

means for writing said user identification number into said
access-reply packet as a RADIUS Attribute.

27. The apparatus of claim 26, wherein said RADIUS 
Attribute is a RADIUS Class Attribute. 

28. The apparatus of claim 24, wherein said user
identification number is said temporary dummy IP address.
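As an added illustration that is not part of the patent, the following Python model walks through the SSG Server's handling of the access-reply and accounting-start packets recited in claims 17 and 24, including the RADIUS Class attribute of claims 19, 20, 26 and 27. Packets are modelled as dictionaries keyed by RADIUS attribute name, and the dummy address range and the `uid=` encoding inside the Class attribute are assumptions of this example.

```python
"""Model of the SSG Server's session handling from claims 17 and 24.

Packets are dicts keyed by RADIUS attribute name (an assumption made for
this example; real RADIUS packets carry binary attribute-value pairs).
"""
from ipaddress import IPv4Address

# Constructed placeholder range for temporary dummy IP addresses.
DUMMY_BASE = IPv4Address("0.0.0.1")


class SSGServer:
    """Sits between the NAS and the AAA Server and tracks subscriber sessions."""

    def __init__(self):
        self.sessions = {}   # IP address (genuine or dummy) -> subscriber name
        self.pending = {}    # user identification number -> dummy IP awaiting a genuine one
        self._next_uid = 0

    def handle_access_reply(self, username, reply):
        """Process an Access-Reply from the AAA Server; return the packet to forward to the NAS."""
        if reply.get("Code") != "Access-Accept":
            return reply                    # no authorization: forward unchanged, no session
        ip = reply.get("Framed-IP-Address")
        if ip is not None:
            self.sessions[ip] = username    # claim 17: AAA assigned the IP, log on with it
            return reply
        # No IP in the reply (the NAS will assign one): log on with a dummy IP and
        # write a user identification number into the reply as a Class attribute,
        # which RADIUS requires the NAS to echo back in its Accounting-Request.
        self._next_uid += 1
        dummy = str(DUMMY_BASE + self._next_uid)
        self.sessions[dummy] = username
        self.pending[self._next_uid] = dummy
        forwarded = dict(reply)
        forwarded["Class"] = f"uid={self._next_uid}"   # "uid=" encoding is an assumption
        return forwarded

    def handle_accounting_start(self, acct):
        """Process an Accounting-Request (Start) from the NAS; return the packet to forward to AAA."""
        if acct.get("Acct-Status-Type") != "Start" or "Class" not in acct:
            return acct
        uid = int(acct["Class"].split("=", 1)[1])
        dummy = self.pending.pop(uid, None)
        if dummy is None:
            return acct                     # unknown or already-resolved uid: nothing to replace
        genuine = acct["Framed-IP-Address"]
        self.sessions[genuine] = self.sessions.pop(dummy)   # replace dummy with genuine IP
        return acct
```

Because the session is re-keyed on whatever Class value the NAS echoes back, an SSG built this way should only act on accounting packets whose RADIUS authenticator verifies under the NAS's shared secret, otherwise a forged Accounting-Request could re-point a session at another address.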